Security on Z/VM
Front cover
Security on z/VM
z/VM in the enterprise security solution - Sample scenarios z/VM security features, LDAP, RACF
Cryptography with Linux guests on z/VM
Paola Bari Helio Almeida Gary Detro David Druker Marian Gasparovic Manfred Gnirss Jean Francois Jiguet Michel Raicher
ibm.com/redbooks
International Technical Support Organization
Security on z/VM
November 2007
SG24-7471-00
Note: Before using this information and the product it supports, read the information in “Notices” on page vii.
First Edition (November 2007)
This edition (SG24-7471-00) applies to the z/VM V5R3.
© Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents
Notices ...... vii Trademarks ...... viii
Preface ...... ix The team that wrote this book ...... ix Become a published author ...... xi Comments welcome...... xi
Chapter 1. z/VM and security ...... 1 1.1 Introduction to z/VM virtualization ...... 2 1.2 z/VM security features...... 4 1.2.1 The SIE instruction ...... 5 1.2.2 System z cryptographic solution ...... 5 1.2.3 Intrusion detection...... 7 1.2.4 Accountability ...... 7 1.2.5 Certification ...... 7 1.2.6 Debugging in a virtual environment...... 9 1.2.7 Virtual networking ...... 9 1.2.8 Compliance to policy...... 10 1.3 Additional features ...... 16 1.3.1 The Resource Access Control Facility ...... 16 1.3.2 LDAP...... 17 1.3.3 z/VM VSWITCH networking ...... 18
Chapter 2. RACF feature of z/VM ...... 21 2.1 RACF z/VM concepts ...... 22 2.2 Installing and configuring RACF ...... 22 2.2.1 Post-installation tasks ...... 23 2.2.2 Build the RACF enabled CPLOAD MODULE ...... 33 2.2.3 Update the RACF database and options ...... 36 2.2.4 Place RACF into production ...... 40 2.2.5 Using HCPRWAC ...... 41 2.3 RACF management processes ...... 44 2.3.1 DirMaint changes to work with RACF ...... 44 2.3.2 RACF authorization concepts ...... 48 2.3.3 RACF passwords and password phrases...... 48 2.3.4 Adding virtual machines and resources to the system and the RACF database . 54 2.3.5 Implementing LOGONBY with RACF ...... 61 2.3.6 Managing VSWITCH and Guest LANS...... 64 2.3.7 Managing RSCS nodes ...... 67 2.4 RACF security labels...... 72 2.4.1 Security labels overview ...... 72 2.4.2 Creating a security label ...... 73 2.4.3 Security label naming restrictions ...... 73 2.4.4 Security label NONE ...... 74 2.5 RACF auditing...... 74 2.5.1 Enabling auditing ...... 74 2.5.2 RACF Data Security Monitor Utility (RACDSMON)...... 76 2.5.3 RACF SMF Data Unload Utility (RACFADU) ...... 84
© Copyright IBM Corp. 2007. All rights reserved. iii 2.5.4 RACF report writer utility (RACFRW) ...... 90 2.6 RACF database backup ...... 96 2.6.1 RACF database verification utility program (IRRUT200) ...... 96 2.6.2 RACF database Split/Merge/Extend utility program (IRRUT400) ...... 97 2.6.3 The RACF database unload utility (IRRDBU00) ...... 104 Chapter 3. z/VM LDAP server ...... 111 3.1 LDAP terminology ...... 112 3.1.1 LDIF files...... 114 3.2 z/VM LDAP ...... 115 3.2.1 LDAP client ...... 115 3.2.2 z/VM LDAP back end services ...... 116 3.2.3 Native authentication ...... 117 3.2.4 Multiple back end services ...... 118 3.2.5 Multiple servers...... 118 3.3 Installing z/VM LDAP server ...... 119 3.3.1 Implementing a new TCP/IP stack ...... 120 3.3.2 Creating the LDAP server ...... 123 3.3.3 Creating a BFS file pool VMSERVL ...... 126 3.3.4 Configuring the LDAP server ...... 129
Chapter 4. Implementing Pluggable Authentication Modules LDAP for Linux servers...... 137 4.1 PAM and Name Service Switch ...... 138 4.1.1 PAM configuration files ...... 138 4.1.2 Linux Name Service Switch ...... 138 4.2 Configuring PAM LDAP and NSS ...... 138 4.2.1 SUSE Linux...... 138 4.2.2 Red Hat Linux ...... 142 4.3 Changing the password ...... 144
Chapter 5. Enterprise integration ...... 145 5.1 Using a central z/VM LDAP server ...... 146 5.1.1 LDAP architecture choices ...... 146 5.1.2 Configuring z/VM LDAP server ...... 147 5.1.3 Verifying the LDAP server...... 150 5.1.4 Loading Linux schema and sample data in the LDBM ...... 151 5.1.5 Adding a Linux user in z/VM LDAP...... 152 5.1.6 Adapting Linux servers to use LDAP service ...... 153 5.1.7 Linux logon test...... 154 5.1.8 Summary...... 154 5.2 Sharing RACF database with another z/VM system ...... 155 5.2.1 Preparing SYSTEM1 for RACF database sharing ...... 157 5.2.2 Re-instating IBMUSER ...... 157 5.2.3 Directory entries ...... 158 5.2.4 DES encryption ...... 161 5.2.5 Initializing the RACF database on SYSTEM2...... 162 5.2.6 Database verification ...... 166 5.2.7 Summary...... 170 5.3 Sharing a RACF database with z/OS ...... 171 5.3.1 Planning RACF/VM installation...... 172 5.3.2 Installing RACF on z/VM...... 172 5.3.3 Summary...... 177
iv Security on z/VM 5.4 Using a central z/OS IBM Tivoli Directory Server ...... 177 5.4.1 LDAP architecture...... 177 5.4.2 Implementing the IBM Tivoli Directory Server for z/OS...... 178 5.4.3 Verifying the LDAP server...... 181 5.4.4 Loading the schema ...... 181 5.4.5 Loading the Linux specific schema ...... 181 5.4.6 Adding a Linux user in IBM Tivoli Directory Server for z/OS...... 182 5.4.7 Adapting Linux servers to use LDAP service ...... 183 5.4.8 Linux logon test...... 184 5.4.9 Summary...... 184 5.5 Synchronizing LDAP/RACF database with IBM Tivoli Directory Integrator...... 184 5.5.1 Architecture...... 186 5.5.2 RACF password mirroring...... 188 5.5.3 LDAP backends ...... 189 5.5.4 z/VM LDAP configuration ...... 189 5.5.5 IBM Tivoli Directory Server for z/OS configuration ...... 191 5.5.6 Verifying the GDBM backend ...... 193 5.5.7 RACF changes ...... 194 5.5.8 IBM Tivoli Directory Integrator configuration...... 196 5.5.9 Summary...... 199
Chapter 6. Cryptography on z/VM ...... 201 6.1 Secure communication to the z/VM System using SSL ...... 202 6.2 Preparing System z for the hardware encryption support ...... 204 6.2.1 Planning to use Crypto Express2 ...... 206 6.2.2 Customize the partition image profile for cryptographic usage ...... 209 6.2.3 Configuration of the cryptography adapter as coprocessor or accelerator . . . . . 212 6.3 z/VM definitions...... 220 6.3.1 Setup for a Linux guest to use cryptography cards...... 221 6.4 Using cryptography hardware support with Linux ...... 231 6.4.1 Verify availability of cryptography hardware support...... 240 6.4.2 Using OpenSSL ...... 242 6.4.3 Example: Configuring Apache 2.0 for using HW support ...... 249 6.4.4 Example of OpenSSH...... 254 6.4.5 Using PKCS#11 API ...... 254 6.4.6 Example: configure IBM HTTP server for using HW support ...... 259 6.4.7 In-kernel cryptography with Linux kernel 2.6...... 262 6.4.8 Using secure key encryption with Linux: an outlook ...... 264
Chapter 7. IBM Tivoli zSecure for z/VM RACF ...... 271 7.1 Consul InSight Suite benefits ...... 272 7.2 Tivoli zSecure Pro Suite ...... 272 7.3 Introducing Tivoli zSecure...... 274 7.3.1 CARLa ...... 274 7.3.2 Tivoli zAudit...... 275 7.3.3 Tivoli zAlert ...... 277 7.3.4 Tivoli zAdmin...... 277 7.4 Tivoli zSecure installation ...... 278 7.4.1 Creating the load library ...... 281 7.4.2 Place Tivoli zSecure in production ...... 282 7.4.3 Applying maintenance...... 282 7.4.4 Installation verification...... 283
Contents v 7.5 Configuring Consul zSecure ...... 284 7.5.1 Making the software (CKREVM EXEC) available to VM/CMS users ...... 284 7.5.2 Configuring the parm file...... 288 7.5.3 IOCONFIG file...... 289 7.5.4 Installing the license file ...... 289 7.5.5 Changing the default setup ...... 290 7.5.6 Checking the zCollect function ...... 292 7.5.7 Fresh CKFREEZE and UNLOAD ...... 293 7.5.8 TCP/IP domain name resolution ...... 293 7.6 Examples of some reports generated by Consul zSecure ...... 293 7.7 Sample UAUDIT list ...... 293 7.8 Personalized reports for RACF users with special and operations authority ...... 296
Appendix A. DirMaint implementation ...... 301 A.1 DirMaint implementation and configuration ...... 302 A.2 DirMaint installation ...... 302 A.2.1 Completing your installation of DirMaint ...... 303 A.2.2 Tailoring the DirMaint installation ...... 304 A.2.3 Placing DirMaint into production...... 305 A.3 DirMaint tailoring...... 307 A.4 DirMaint testing and operations ...... 312 A.4.1 Adding virtual machines ...... 312 A.4.2 Updating EXTENT CONTROL ...... 314 A.4.3 Adding MDISK to a Virtual Machine ...... 315 A.5 Conclusion ...... 317
Appendix B. RACF procedural checklist...... 319 B.1 RACF installation steps ...... 320
Appendix C. Additional material ...... 321 Locating the Web material ...... 321 Using the Web material ...... 321 How to use the Web material ...... 321
Related publications ...... 323 IBM Redbooks publications ...... 323 Other publications ...... 323 How to get IBM Redbooks publications ...... 324 Help from IBM ...... 324
Index ...... 325
vi Security on z/VM Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
© Copyright IBM Corp. 2007. All rights reserved. vii Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Redbooks (logo) ® DS6000™ Processor Resource/Systems eServer™ DS8000™ Manager™ i5/OS® Enterprise Storage Server® Redbooks® z/Architecture® ESCON® RACF® z/OS® FICON® REXX™ z/VM® HiperSockets™ System z™ z/VSE™ IBM® System z9™ zSeries® IBMLink™ SQL/DS™ z9™ Lotus® Tivoli® CICS® OS/390® VM/ESA® DirMaint™ Parallel Sysplex® VTAM® DB2® Print Services Facility™ WebSphere® DS4000™ Workplace™
The following terms are trademarks of other companies:
Java, JavaScript, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
ActiveX, Internet Explorer, Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
viii Security on z/VM Preface
Discussions about server sprawl, rising software costs, going green, or moving data centers to reduce the cost of business are held in many meetings or conference calls in many organizations throughout the world. And many organizations are starting to turn toward System z™ and z/VM® after such discussions. The virtual machine operating system has over 40 years of experience as a hosting platform for servers, from the days of VM/SP, VM/XA, VM/ESA® and especially now with z/VM. With the consolidation of servers and conservative estimates that approximately seventy percent of all critical corporate data reside on System z, we find ourselves needing a highly secure environment for the support of this infrastructure. This document was written to assist z/VM support and security personnel in providing the enterprise with a safe, secure and manageable environment.
This IBM® Redbooks® publication provides an overview of security and integrity provided by z/VM and the processes for the implementation and configuration of z/VM Security Server, z/VM LDAP Server, IBM Tivoli® Directory Server for z/OS®, and Linux® on System z with PAM for LDAP authentication.
Sample scenarios with RACF® database sharing between z/VM and z/OS, or through Tivoli Directory Integrator to synchronize LDAP databases, are also discussed in this book.
This book provides information about configuration and usage of Linux on System z with the System z Cryptographic features documenting their hardware and software configuration.
The Consul zSecure Pro Suite is also part of this document: this product helps to control and audit security not only on one system, but can be used as a single point of enterprise wide security control. This document covers the installation and configuration of this product and detailed information is presented on how z/Consul can be used to collect and analyze z/VM security data and how it can be helpful in the administration of your audit data.
The team that wrote this book
This book was produced by a team of specialists from around the world working at the International Technical Support Organization (ITSO), Poughkeepsie Center.
Paola Bari is an Advisory Programmer at the ITSO, Poughkeepsie Center. She has 22 years of experience as a systems programmer in OS/390®, z/OS, and Parallel Sysplex®, including several years of experience in WebSphere® MQ and WebSphere Application Server.
Helio Almeida is an IBM Senior IT Specialist in Brazil. He has 23 years of experience in the VM field. He has worked at IBM for 30 years. He holds a degree in Computing Technology from Instituto Tecnológico de Aeronáutica (Aeronautics Technological Institute). His areas of expertise include z/VM and Storage for System z. He has written and delivered education and Customer support extensively on z/VM.
Gary Detro is a Texan, an IBM Senior IT Specialist in the USA. He has 17 years of experience in the VM field. He has worked at IBM for 38 years. He holds a degree in Business Administration from Texas A&M at Commerce. His areas of expertise include z/VM, VM Networking, Storage for System z and Open Systems. He has written and delivered education extensively on z/VM, TCP/IP, VTAM®, RSCS, RACF/VM, DirMaint™, Linux on System z, Enterprise Storage Server®, DS4000™, DS6000™, and DS8000™.
© Copyright IBM Corp. 2007. All rights reserved. ix David Druker is a Certified Consulting IT Specialist at IBM. His current role is Tivoli Security Specialist for Americas TechWorks, where he focuses on identity integration using Tivoli Directory Integrator, Tivoli Directory Server, and Tivoli Identity Manager. David is known worldwide as an expert in Tivoli Directory Integrator and works actively with large customers, product support and development. He has over 20 years of broad technology experience that
includes programming, scientific computing, systems administration and enterprise architecture. David holds a Ph.D. in Speech and Hearing Science from the University of Iowa.
Marian Gasparovic is an IT Specialist from IBM Slovakia. He worked as an Administrator for z/OS at Business Partner for six years. He joined IBM in 2004 and now works in Field Technical Sales Support for System z in the CEMA region as a member of a new workload team. His areas of expertise include Linux, z/VM and z/OS as well as System z hardware and storage solutions.
Manfred Gnirss is an IT specialist at the IBM Technical Marketing Competence Center (TMCC) and the Linux Center of Competence, Boeblingen, Germany. He holds a PhD in theoretical physics from the University of Tuebingen, Germany. Before joining the TMCC in 2000 he worked in z/VM and z/OS development for more than 12 years. Currently he is involved in several Linux for System z Proof-of-Concept projects and customer projects running at the TMCC.
Jean Francois Jiguet is a certified IBM IT specialist in system management from France. He has 27 years of experience in the computer industry field. His expertise area are VM, Linux, VSE and System z hardware. He has experience in teaching, products support and software implementation services.
Michel Raicher is a Senior Programmer in Tucson, Arizona. He has 20 years of experience in z/VM System Test. He has worked at IBM for 34 years. His areas of expertise include Networking (OSA and CISCO), z/VM Vswitch, TCP/IP, ISFC, MCDS, SFS, BFS, NFS and SCSI for z/VM. He has worked testing early versions of Linux on System z and z/OS Networking under z/VM. He has supported the z/VM Lab raised floor for many years, and worked on early Hardware testing.
Thanks to the following people for their contributions to this project:
Richard Conway, Roy Costa, Robert Haimowitz International Technical Support Organization, Poughkeepsie Center
Jay Leiserson IBM Austin
Arthur Winterling IBM Boeblingen
Alan Altmark, Doug Barnhart, Karen Gardner, Michael Wilkins IBM Endicott
Jack Hoarau, Yann Kindelberger, Patrick Kappeler IBM Montpellier
Hans Schoone IBM Netherlands
John Dayka, Peter Spera, Michael Tebolt, Ross Uhlfelder, Bruce Wells IBM Poughkeepsie
x Security on z/VM Become a published author
Join us for a two- to six-week residency program! Help write a book dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks in one of the following ways: Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an e-mail to: [email protected] Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400
Preface xi
xii Security on z/VM
1
Chapter 1. z/VM and security
This chapter discusses the security aspects of z/VM facilities and introduces how z/VM virtualization can provide a secure isolation between guests on System z. The chapter also discusses Resource Access Control Facility(RACF) and Ligthweight Directory Access Protocol (LDAP) on z/VM and how you can use them to allow an enterprise wide point of control.
M has the System z hardware resources virtualization architecture built in the software through the concept of the virtual machine. z/VM Virtual Machine is also referred to as user IDs, guests or hosts.
z/VM can host multiple operating systems as guests of the virtual machines by emulating the System z hardware within that same hardware, while providing extra features and benefits that are implemented in software in a more cost effectively way.
Virtualization of the machine enables you to do the following: Manage many servers using universal management tools Reduce management costs Maximize the utilization of existing hardware
Like all System z operating systems, z/VM can run alone or share the mainframe with others by using the LPAR capabilities of System z. z/VM can either virtualize the same System z server it is running on, or emulate hardware features that are not necessarily installed on that particular model of server, and it can provide a customized environment for each guest.
z/VM provides System z features to the guest operating systems transparently and simultaneously, without the need of having a physical server per guest. At the same time, z/VM can isolate each guest operating system and handle access to real devices as needed.
© Copyright IBM Corp. 2007. All rights reserved. 1 The Start Interpretive Execution Instruction (SIE) available on the System z can create the environment for Virtual Machines (user IDs). Most of the of instructions are executed by the hardware with little z/VM intervention. The SIE is implemented on the System z by the Interpretive Execution Facility. The z/VM Control Program gets an interruption when the hardware detects conditions such as Timer expiration, unassisted Input Output operation
(I/O), instructions that require some privileges and Program Interrupts. SIE also handles the usage of region, segment and page tables previously set up by the z/VM Control Program for the user ID. SIE instruction is available only on System z, and it is exploited by z/VM to decrease Control Program overhead.
In addition to SIE, some of the newer System z provide I/O assist functions to QUEUE DIRECT I/O(QDIO), used by System z adapters such as Networking and Fibre Channel Protocol (FCP) to assist reducing the amount of interrupts passed to the z/VM Control Program.
Resources that can be shared between guests are CPU, real memory, disk volumes, network adapters, printers, and devices specific to System z such as cryptographic cards. It also supports the latest Storage Area Network (SAN) and virtual tape library systems. For example, in the case of disk storage, z/VM is capable of partitioning a disk volume and assigning portions to each guest. Control of read-only and read-write access, or none at all, is at the discretion of the z/VM administrator.
The number of guests that z/VM can operate concurrently is limited only by the amount of resource available to the System z. This is in contrast to LPARs which have a fixed limit to the number of LPARs, dependent on the System z used.
Guests of a z/VM host run within user IDs, or just “ID”, for short. Typically, people logging on to z/VM are called “users”, whereas automated user IDs are known as “service machines” and run in a disconnected state, that means without a console or display terminal attached.
1.1 Introduction to z/VM virtualization
z/VM has the System z hardware resources virtualization architecture built into the software through the concept of the virtual machine. z/VM virtual machine is also referred to as user IDs, guests, or hosts. z/VM can host multiple operating systems as guests of the virtual machines by emulating the System z hardware within that same hardware, while providing extra features and benefits that are implemented in software in a more cost effective way.
Virtualization of the machine enables you to: Manage many servers using universal management tools Reduce management costs Maximize the utilization of existing hardware
Like all System z operating systems, z/VM can run alone or share the mainframe with z/VM, Linux for System z or z/OS using the LPAR capabilities of System z. z/VM can either virtualize the same System z server on which it is running or can emulate hardware features that are not necessarily installed on that particular model of server. It can also provide a customized environment for each guest.
z/VM provides System z features to the guest operating systems transparently and simultaneously, without having a physical server per guest. At the same time, z/VM can isolate each guest operating system and handle access to real devices as needed.
2 Security on z/VM The Start Interpretive Execution Instruction (SIE) that is available on System z can create the environment for virtual machines (user IDs). Most of the of instructions are executed by the hardware, with little z/VM intervention. The SIE is implemented on the System z by the Interpretive Execution Facility. The z/VM Control Program gets an interruption when the hardware detects conditions such as Timer expiration, unassisted Input Output operation
(I/O), instructions that require some privileges, and Program Interrupts. SIE also handles the use of region, segment, and page tables that were set up previously by the z/VM Control Program for the user ID. SIE instruction is available only on System z, and it is exploited by z/VM to decrease Control Program overhead.
In addition to SIE, some of the newer System z provide I/O assist functions to QUEUE DIRECT I/O (QDIO) that is used by System z adapters such as Networking and Fibre Channel Protocol (FCP) to reduce the amount of interrupts that are passed to the z/VM Control Program. Resources that can be shared between guests are CPU, real memory, disk volumes, network adapters, printers, and devices specific to System z such as cryptographic cards. It also supports the latest Storage Area Network (SAN) and virtual tape library systems. For example, in the case of disk storage, z/VM is capable of partitioning a disk volume and assigning portions to each guest. Control of read-only and read-write access, or none at all, is at the discretion of the z/VM administrator.
The number of guests that z/VM can operate concurrently is limited only by the amount of resource that is available to the System z. This is in contrast to LPARs which have a fixed limit to the number of LPARs that are dependent on the System z used.
Guests of a z/VM host run within user IDs, or just ID for short. Typically, people logging on to z/VM are called users, whereas automated user IDs are known as service machines and run in a disconnected state (which means without a console or display terminal attached). z/VM user definition and part of z/VM security is accomplished by the z/VM directory. The directory is encrypted on the DASD to avoid hacking its contents. To allow multiple users to change and maintain the directory, your installation can use a directory Control Program such as Directory Maintenance Facility (DirMaint). You can configure DirMaint to allow specific levels of change control as needed to specifics administrators and to the users. For more information about DirMaint, go to Appendix A, “DirMaint implementation” on page 301. z/VM isolation between users and security can be enhanced using RACF. RACF allows a deep and more flexible security implementation than z/VM controls. You can configure RACF to control z/VM commands and resources and to define who can access these resources and at what level of authority.
Chapter 1. z/VM and security 3 1.2 z/VM security features
z/VM is today’s version of a hypervisor operating system. Virtual machine design began in the early 1960s, when IBM was exploring how to meet customer expectations using virtualization. The development of virtual machine was closely tied to the development of virtual storage, because they needed to operate together. The core of z/VM (that is, the hypervisor), is actually the Control Program. The Control Program creates and maintains virtual environments for virtual machines (guests).
Figure 1-1 represents a z/VM system with multiple guests.
z/VM CP
z/OS VM Linux Linux Linux Linux z/VM guest IPL Guest VM Guest VM Guest VM Guest VM Guest VM Guest VM and resident z/OS Linux Linux Linux Linux CP
virtual virtual virtual virtual virtual virtual devices devices devices devices devices devices z/VM guest IPL Guest and resident "minidisks"
Guest LAN IUCV VCTC VLAN Guest OS operators
HiperSockers z/VM guest IPL and resident
PCI FICON OSA IFL Crypto Channel Express zSeries hardware z/VM guest IPL and resident
z/VM operator Figure 1-1 z/VM implementation with multiple guests
Note the following points: Only the Control Program is IPLed using the actual hardware IPL sequence. The guest IPL sequence is simulated by the Control Program. The Control Program operator console is actually providing Control Program emulated hardware consoles for the guest virtual environment. Control Program commands, on top of the guest IPL command, are providing, for example, the equivalent of a System reset or Restart hardware functions for the guest machines. The operating systems running in each guest have their usual operator console, which are physically connected through I/O channels to their respective operating systems. z/VM has its own scheme of disk storage partitioning, known as minidisks, that the Control Program uses to share one physical disk among several guests.